15 Bullet Friday – The Best Security News of the Week – 2019.11.22

The Top 15 Security Posts – Vetted & Curated

*Threats & Defense*
1. Attack tools and techniques used by major ransomware families (Help Net Security, Nov 15 2019)
Ransomware is typically distributed in one of three ways: as a cryptoworm, which replicates itself rapidly to other computers for maximum impact (for example, WannaCry); as ransomware-as-a-service (RaaS), sold on the dark web as a distribution kit (for example, Sodinokibi); or by means of an automated active adversary attack, where attackers manually deploy the ransomware following an automated scan of networks for systems with weak protection.

2. Over 100,000 Fake Domains With Valid TLS Certificates Target Major Retailers (SecurityWeek, Nov 15 2019)
Venafi, a company that helps organizations secure cryptographic keys and digital certificates, says it has uncovered over 100,000 typosquatted domains with valid TLS certificates that appear to target major retailers.

3. Security of North American Energy Grid Tested in GridEx Exercise (SecurityWeek, Nov 18 2019)
A major exercise whose goal was to test the cyber and physical security of North America’s grid has enabled the energy industry and governments to review and improve incident response plans and collaboration.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras



*AI, IoT, & Mobile Security*
4. Facebook Discloses WhatsApp MP4 Video Vulnerability (Dark Reading, Nov 18 2019)
A stack-based buffer overflow bug can be exploited by sending a specially crafted video file to a WhatsApp user.

5. 146 New Vulnerabilities All Come Preinstalled on Android Phones (Wired, Nov 15 2019)
The dozens of flaws across 29 Android smartphone makers show just how insecure the devices can be, even brand-new.

6. NSA won’t collect phone location data, promises US government (Naked Security – Sophos, Nov 18 2019)
US intelligence agencies won’t harvest US residents’ geolocation data in future investigations, revealed the US government this month.

*Cloud Security, DevOps, AppSec*
7. GitHub Security Lab to make open source more secure (Help Net Security, Nov 15 2019)
When a researcher identifies a vulnerability in an open source project and shares the discovery with the GitHub Security Lab team, the team reports it to the publicly-listed security contact for the project or the project maintainers.

8. Official Monero website is hacked to deliver currency-stealing malware (Ars Technica, Nov 19 2019)
GetMonero.com delivers Linux and Windows binaries that steal users’ funds.

9. Macy’s online store compromised in Magecart-style attack (Help Net Security, Nov 19 2019)
The webshop of noted U.S. department store company Macy’s has been compromised and equipped with an information-stealing JavaScript, which ended up collecting users’ personal and payment card information for a week.

*Identity Mgt & Web Fraud*
10. When Bank Communication is Indistinguishable from Phishing (Troy Hunt, Nov 19 2019)
There’s a supremely simple way of banks handling this situation and it was demonstrated by AMEX shortly after the St George incident when they called to verify an unusual credit card transaction. We did the “we want to verify you”, “no I want to verify you” dance after which they simply said, “turn over your card and call us on the number on the back”. How easy is that?!

11. Out of Season IRS Phishing Campaigns (Akamai, Nov 21 2019)
According to Akamai’s research, this campaign used at least 289 different domains and 832 URLs over 47 days. The same fake IRS login page was used in each instance. Moreover, according to Akamai’s visibility into global network traffic, the campaign targeted over 100,000 victims worldwide.

12. Most Americans feel powerless to prevent data collection, online tracking (Help Net Security, Nov 18 2019)
Most U.S. adults say that the potential risks they face because of data collection by companies (81%) and the government (66%) outweigh the benefits, but most (>80%) feel that they have little or no control over how these entities use their personal information, a recent Pew Research Center study on USA digital privacy attitudes has revealed.

*CISO View*
13. U.S. manufacturing group hacked by China as trade talks intensified (Reuters, Nov 22 2019)
As trade talks between Washington and Beijing intensified earlier this year, suspected Chinese hackers broke into an industry group for U.S. manufacturers that has helped shape President Donald Trump’s trade policies, according to two people familiar with the matter.

14. How Iran’s Government Shut Off the Internet (Wired, Nov 17 2019)
After years of centralizing internet control, Iran pulled the plug on connectivity for nearly all of its citizens.

15. Twitter finally upgrades its 2FA security feature. Mobile number no longer required! (Graham Cluley, Nov 22 2019)
Hundreds of millions of Twitter users now have an improved way to better safeguard their accounts from being compromised.
